Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

How can I stop admin users from changing Firefox configuration files.

  • 9 replies
  • 1 has this problem
  • 1 view
  • Paskiausią atsakymą parašė disaak

more options

I need to configure Firefox in an enterprise environment. Other that using 3rd part group policy templates which I do not want to do, the only option I have found to lock it down is using preference files. This will lock down Firefox but I need a way to stop an admin user from manually editing the configuration files.

I thought of using a group policy preference to copy the preference files on every GP refresh but it can take up to 90 minutes for the policy to apply. Is there a better way to lock down the files themselves?

I need to configure Firefox in an enterprise environment. Other that using 3rd part group policy templates which I do not want to do, the only option I have found to lock it down is using preference files. This will lock down Firefox but I need a way to stop an admin user from manually editing the configuration files. I thought of using a group policy preference to copy the preference files on every GP refresh but it can take up to 90 minutes for the policy to apply. Is there a better way to lock down the files themselves?

Chosen solution

Thank you everyone. I think the best thing is to use group policy preferences to copy the configuration files. They can still be changed but at least they will be replaced every 90 minutes.

I will mark this a resolved.

Skaityti atsakymą kartu su kontekstu 👍 0

All Replies (9)

more options

An administrator has the ability to bypass any kind of block. However, what you could do is to copy those files you don't want to be changed to a thumb drive and keep it in your pocket.

There is also; http://portableapps.com/apps/internet/firefox_portable Mozilla Firefox, Portable Edition

A fully functional package of Firefox optimized for use on a USB key drive. A specialized launcher will allow most favorite extensions to work as you switch computers.

Firefox Portable is a 3rd-party build. Support is available here: http://portableapps.com/forums/support/firefox_portable

more options

Thank you but I am not trying to stop someone from messing with my configuration files. I am trying to stop users from messing with the configuration files on their computers when they have been given admin access.

more options

You may want to ask on the EWG mailing list. See: https://wiki.mozilla.org/Enterprise

more options

Thank you. I will do that.

more options

disaak said

Thank you but I am not trying to stop someone from messing with my configuration files. I am trying to stop users from messing with the configuration files on their computers when they have been given admin access.

This is where you don't give them Admin permission you create in case of W7 and later "Limited" User accounts. They shouldn't need admin access at all. This is where you will run into trouble as you found out. User will do damage regardless and not giving them Admin is the first part not to do. And question begs why should they have Admin to start with.

more options

Just a thought

Would making the config files and folders ‘Read Only’ work

more options

WestEnd, you are preaching to the choir. Unfortunately I don't make the decision on whether users do or don't get local admin. It would take a major culture change to get rid of local admin that people above me are not willing to make.

As far as admins getting around anything that might be put in place, that doesn't mean you can't make it as difficult as possible for them.

chrisjw37, that might help a bit but is easily reversible.

Thank you

more options

Maybe the only thing that would work is to use a CMD file to launch Firefox and make sure that the configuration files are correct or just replace them.

more options

Chosen Solution

Thank you everyone. I think the best thing is to use group policy preferences to copy the configuration files. They can still be changed but at least they will be replaced every 90 minutes.

I will mark this a resolved.